q1 ] the meaning of computer security security goals confidentiallity secrecey privacy) ensure that assets are accessed only

by autor hosised parties integrity assets can be modified only by authorised partiie in autohorised ways availability assets are accssible to authorised parities at appropriate times (o pposite of denial of servivce) q2 computer criminals computer crime, any crime involving a computer or aided by the use of one amatuers crackers NOT hackers career criminals what computer crime does not address: courts must interpret what a computer is courts must determine the valuye of the loss q3 name some methods of defence controls multi=pronged approach encryption software controls (internal program controls, independent control programs, oper aitng systems and network system controls, development controls) hardware controls policies and procedures physical controls q4 terminology and background key - value used to encrypt mesage C- E(K,P) where p=plaintext, k = key, E = encryption algorithims, and c = Cipher text symmetric encryption p = D(K, E(K,P) q5 types of encryption substituion one or more characters are rpelaced with another transposition (permutations) - order of characters is reearranged hybrid - combinations of the two types q6 uses a pasage from a book to form the letters at the top of a vingere tablueau computers ipher acharacter bny taking the intersection of the plaintext characte r anmd correspomdong character at the position from the bnook passage relativing easy to break using frequeincy

q6b symmetric and assymetric encriptuion systems assymetric requrires two keys one of whihc is a public key the public key is used q7 whatr are the 3 protpoeties of trustworthy encryption systems based ons ound matheamtics been analazyed by competent experts and found to be sound stood the test of time \threee examples DES data encruptuoijn RSA rivet shamir adelman AES advanced encryption standard q8 secure programs security implies some degree of trust that the program enfornces expectec confid entiality integrity and avilablility include q1 q9 fixing faults software that has mnay faults early on is likely to have many others still waiti ng to be found early computer seucirty work used (penetrate and patch"{ method where analysts searched for and reparirdd fults (tiger team often patch efforts made system less secure Q10 virus - code that attaches to another porgam and copies itself to other pograms treansiet virus - life dpeends on the life of its host resident viurs - locates inside mmeory trojan horse logic bomb time bomb trapdoor (backdoor) worm rabbit q11 how viruses attack a virus is attached to a program the virus is activiated by executing the program, most common viruses today are attached to email when the attachkment is opened, virus is active part 2 prevention of virus infections use only commercial software acquired from reliable well established vendors test all new software on an insoleated com puter

open asttachments only when you know them to be safe make a recoverable system image and stroe it safely make and retain backup of execubatable system files use virus scanners often q12 truths and misconceptoins about viruses virus can only infect wmicrosoft windows - false virus can modify hidden or read onlyf iles - true virus can appear only ind ata files or only in word documents or only in program s - false virus spread on on disks or only in email - false virsu cannot remain in memory after a cold boot - true virus cannot infect hardware - true viruses can be malevolent, benign, or benevolent - true \ q13 examples; pakaistani brain virus internet worm code red worm sql-server slammer web bugs (spyware) q14 targeted malicious code trapdoor - undocumented entry point to a module salami attack (ex interest computation) covert channels; porgrams that leak information (ex hide data in output -storan ge channels - pass information vby usisng presence or absesne of objects in storegae timing channels - pass information using the speed at which things happen q15 ten most critical web application secuirty vulnerabilities - unvalidated parameters broken access controol broken account and session management cross stie scriptiuonmg flaws buffer overtlfows command injection flaws error handling problems insecure ouse of cryptiohgraphy remote adminsitions flaws web and apllication servers misconfigeration q16 'seucurut methods of operaitng systme physical sepeartion different processes use different objects temporalseperation processes executed at different times logical seperation proc ess aperars to be alone cryptpgaphgicseperation processes conceal data anmd computations q17 what are 3 goals in protecting computer objects check every access enforce least privlidge

verify acceptable usage q18 user authenticaiton something theuse knows (password pin paass phrase mothers moaiden name) somethign the use has (id lkey drivers licesne uniform) something the use is (biometrics) MUHST KNOW THIS q19 what is the password and show at least two good examples 0-mutally agreed upon code works, assumed known only to use and suystem first line of defense loose lipped systems -welcome to xyz computing -enter user id: summers -invalid user name -enter user id q20 which 5 services trusted operating systems should provide in a consistent and ef fective way primitive security services -memory protection -file protection -general object accesds control -user authenticaiotn q21 what is a trusted system? trusted syystem - system that empoloyes sufficant hardware and software inteigit y measures to allow its use for processing sensisty inforemation characterisitcs of a good secuirty policity -coverage (comprehensive) -durablility -realism -usefullness -examples q22. name one seucitry poliicy which is NOT miltary policty - chinese wall seuciryt policy q23 what are the computer suecirty models used for security models are used to -test a particiluar policy for ecompleteness and consistency -document a policy -help conceptualise and design and implementation -check whather an implentation meets its requirements q24 trusted system design elements

least privlidge economy of mechanism open design complete mediqatiion permission based speration fo privlidge least common mechanism ease of use q25 seuciry features of ordianry operaing systems authgentication of users protection of memory file zand i/o device access control allolcatgiona and access to general objects enformeent of shariing guaruntee of fair service interporcess communications and synchronisation protecting of operating system protection data q26 kernal part of os that performs lowest level functions -syncronisation, interpocvess communications, emssage passing, interrupt handlin g -security kernal, respoinsible for enforcfing security mechanism for entire OS; provides interface among the hardware, OS, and other parts of computer system q27 what is databsae and name 4 elemtns of each databse databse - collection of data and set of rules trhat organixe the data by speciif ying certain relationships amon g the data records - contain related group of data fields (elements - elemtary data items scheme - logicial structure of database subscheme - view into database q28 three types of databses relational -rows rleation, columns (attributes) -db2, oracle, access hierachical -ims object orientated q29 advantages of using databases shared access minimal redundancy data consistency data integirty contorlled access q30 name at least five seucirty requirements for databases physical database integirty logical database integirity

element integirty audioability access control user authenticaiton availability q31 what is two phase update in dtabases failure computing system in middle of modyfing data intent phase gather rersources needed for updatel write commit flag to the datab ase update phase make permanent changes q32 name at least three types of disclosures in databases exact data bounds negative resulkts existance of data probable values q33 hub or switch connects all stations wiring is standard business telephone wiring (4 pairs in a bundle) two programs -0 client prorgam on client machine -server program on server machine q35 who created tcp/ip standards and who creatred osi standard osi standards - created by ITU-T and the ISO tcp/ip standards crated by IETF q36 seucirty polciies purpose recognise sensitive informationa ssets clarify seucirty responsibilities promote awareness for exisitng meployees guide new employees copyrigths - designed to portect the expression of ideas not the q37 application programs on different machines ccannot community directly they are on differnet machines! q38 IPV6 willr aise the size of the internet address from 32 bits to 128 bits now running out of ip addresses will solve the problem but current work-aroudns are delaying the need for ipv6 addresses q39 arguemtns against risk analysis false sense of precisiona and confidence

hard to perform immutability (filed and forggeotten) lack of accuracy "todays complex internet netowrks cannot be made water tight,, a systema dmin ha s to get everything right all the time;l ahacker only has to find one small hole . a sysaadmin has to be lucky all of the timel a hacker only has to get lucky on ce. it is easier to destroy rather than to cfreate" robert graham lead artchitect of internet seucirty systems q40 what makes a netowrk vulnerable? anonymity many poiints of attack (targets and origins) sharing complexiity of system unknown perimiter unknown path q41 threat precusors port scan social engineering -reconnasiance -bullettin board/chat -docs packet sniffers (telnet/ftp in clear text) q42 network security hthreats denial of service (dos) attacks -verload system with a flood of emssages - or send a single message that crashes the machine q43 what is public infrastructure (PKI) to use a q44 who delveoped SSL delveoped by netscape q45 where is the location of ssl below the application layer q46importance of SSL supported by almost all broswers problems relivativly weak seucirty does not involve security on merchant server does not validate q47 ipsec

why do we need ipsec ip has no seucirty add security to create a virtial private netowrk (VPN) to gi q48 firewalls sits between the corporate netowrk and internet proevesnts unauthjosed access from the internet faliciltates interal users access to the internet pgp preivity good priacy uses public ring mime/S (secuirty multipourpose internet mail extentions) q49 name risk risk risk risk for elements of risk analysis imnpact - loss associated with an event probability - likelyhood that the event will occur control - degree to which we can change the outcome exposure - risk impact * risk probability

q50 name with examples three types of physiocal security natural disasters -flood -fire -ther power loss -ups surge supressors (line conditioners_) human vandals -unauthorsied access and use -theft